Stop AI Agents From SQL Injecting Your Database

Source: MLOps.community · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Intermediate, long

Summary

Avery Kit, a staff engineer at Google, discusses the MCP toolbox for databases, a customizable framework with 13,500 GitHub stars and over 100 contributors supporting 40 data sources. The toolbox provides integrated authentication, end-to-end observability, and connection pooling. Google Cloud also offers a fully managed MCP service that integrates with IDEs and CLIs such as Gemini CLI. An analysis of over 20 million tool calls to Google Cloud databases over 30 days found three common patterns: control plane tools for admin tasks, Natural Language to SQL (NL to SQL) tools for query generation, and structured SQL tools. Structured SQL tools, the most popular of the three, are the right fit for autonomous applications and untrusted users because they offer high determinism and low latency, which limits hallucinations and data breaches. The presentation emphasizes securing these tools against "confused deputy attacks" and the "lethal trifecta" of private data, untrusted content, and user communication, advocating for a zero-trust architecture.

Key takeaway

For AI Architects and CTOs building agentic applications that interact with databases, you must prioritize a zero-trust security model. Implement robust parameter control and pre-approved SQL statements to prevent "confused deputy attacks" and data breaches, especially in runtime applications with untrusted users. Your focus should be on constraining agent access to only what is strictly necessary, ensuring deterministic and low-latency operations to maintain data integrity and user trust.

Key insights

Secure database tools require constraining agent access and pre-approving SQL to prevent data breaches and ensure reliability.

Method

Abstract raw connection details away from the agent, pre-approve SQL statements in YAML, execute them as prepared statements with strongly typed parameters, and bind or authenticate sensitive parameters outside the agent's control to enforce security.
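As an added illustration of this method (example code, not the MCP toolbox's own implementation or configuration format), a minimal Python tool registry in which the SQL text is fixed in advance, the agent may only fill declared, typed parameters, and the user id is bound from the authenticated session rather than from the agent. The tool schema, the orders table and its rows are constructed here.

```python
import sqlite3

# Constructed stand-in for a YAML-declared tool (hypothetical schema, not the
# toolbox's own format): the SQL is pre-approved, the agent fills only "agent"
# parameters, and "auth" parameters come from the verified session.
TOOLS = {
    "get_my_orders": {
        "sql": "SELECT id, total FROM orders WHERE user_id = ? AND status = ?",
        "params": [
            {"name": "user_id", "type": int, "source": "auth"},
            {"name": "status", "type": str, "source": "agent"},
        ],
    },
}

class ToolError(ValueError):
    pass

def bind_params(tool, agent_args, auth_context):
    """Return the bound parameter tuple, or raise ToolError on any mismatch."""
    agent_names = {p["name"] for p in tool["params"] if p["source"] == "agent"}
    extra = set(agent_args) - agent_names
    if extra:  # e.g. the agent trying to choose user_id itself
        raise ToolError(f"unexpected parameters: {sorted(extra)}")
    bound = []
    for p in tool["params"]:
        src = auth_context if p["source"] == "auth" else agent_args
        if p["name"] not in src:
            raise ToolError(f"missing {p['source']} parameter {p['name']}")
        value = src[p["name"]]
        if type(value) is not p["type"]:  # exact type: bool must not pass as int
            raise ToolError(f"{p['name']} must be {p['type'].__name__}")
        bound.append(value)
    return tuple(bound)

def call_tool(conn, name, agent_args, auth_context):
    """Run a pre-approved statement as a prepared query; the agent never supplies SQL."""
    if name not in TOOLS:
        raise ToolError(f"unknown tool {name}")
    tool = TOOLS[name]
    return conn.execute(tool["sql"], bind_params(tool, agent_args, auth_context)).fetchall()

def demo_db():
    """Constructed in-memory sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, user_id INTEGER, status TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                     [(1, 7, "shipped", 19.5), (2, 7, "open", 5.0), (3, 8, "shipped", 99.0)])
    return conn
```

An injection-shaped value such as `shipped' OR '1'='1` reaches the driver as a plain string literal and simply matches no rows, and an agent argument named `user_id` is rejected before any query runs.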

Best for: AI Architect, CTO, VP of Engineering/Data, AI Engineer, Machine Learning Engineer, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by MLOps.community.